Authentication
This section outlines the preferred authentication protocols and methods for secure access and guides application owners in choosing the right one for their application.
Supported Protocols
The following protocols are supported by PwC Identity, listed by preference:
| Authentication Protocol | Description |
|---|---|
| SAML Security Assertion Markup Language | A federated protocol used for Cross-Domain Single Sign-On (CDSSO). |
| WS-Federation | Microsoft protocol primarily used for .NET-based applications. |
| OAuth2 | OAuth2 is an open standard for authorization, allowing a third-party application to get limited access to a user's data on another service. |
| OIDC OpenID Connect | A modern authentication standard built on OAuth 2.0. Detailed grant flows & their support are listed in the ensuing summary table. Implicit Grant Flow is deprecated per industry security best practices & strong cyber posture. |
OAuth2 Grant Flows
Summary Table
| Grant Type | Use Case | Security Level | Status |
|---|---|---|---|
| Authorization Code | Server-side web apps | High | |
| Implicit | SPAs (deprecated) | Low | |
| Client Credentials | Server-to-server communication | High | |
| Resource Owner Password | Trusted clients (deprecated) | Low | |
| Device Authorization | Limited-input devices (e.g., IoT) | High | |
| Refresh Token | Token renewal | High | |
| Authorization Code with PKCE | SPAs and mobile apps | High |
For detailed protocol specifications and endpoint configurations, refer to Section 4.0 of the Application Integration Guide.
Authentication Options
- Certificate-Based Authentication: Standard method for internal users on PwC managed devices on PwC Network.
- Password-Based Authentication: Standard method using username and password credentials.
- Password Fallback MFA: One-Time Password (OTP) sent via SMS or email when primary authentication fails.
- MFA (Entrust): Strong multi-factor authentication using Entrust tokens.
- MFA with "Trust My Device": Allows device recognition for smoother user experience while maintaining security.
Details on each authentication level for internal and external users are available in Section 4.3 of the Application Integration Guide.
Session Lifetimes
PwC Identity does not have a maximum idle timeout or maximum session setting. Hence, to make sure that your application times out an inactive user and renews the authenticated session at a frequency mandated by the ISP requirements, you will need to:
- Remove and revoke the application session cookies and cache.
- Call the Entra ID logout URI.
- Initiate a fresh authentication session.
Refer to Session Management of the Technical Integration Guide for more information.
Recommendations
- Prefer OIDC with OAuth2 for new applications due to its enhanced security and flexibility.
- Ensure callback URLs are absolute and comply with OAuth2 specifications &standards.
- Ensure SAML & Ws-Fed requests are signed.
- Ensure OAuth2 & OIDC tokens are validated.
- Avoid using wildcards in redirect URIs.
- Avoid using localhosts in redirect URIs.
- Avoid using HTTP in redirect URIs and ensure always HTTPS URIs are used.
- Choose authentication methods based on user type and risk profile.
- Implement MFA for all sensitive or privileged access.
- Use fallback mechanisms to ensure accessibility without compromising security.